Grand Challenges for Privacy in a Networked World

The first order of business at the Privacy for a Networked World workshop was to collaboratively identify the topics for the day’s discussion. To accomplish this, we asked all participants to individually and collaboratively identify the key challenges of interactional privacy. We discussed and recorded these challenges, and then proceeded to develop a core set of themes for the workshop. In particular, we identified:

  • Business and User Tensions
  • Boundary Regulation and Temporality
  • Design
  • Methods

as the four grand challenges of the workshop. Participants were then split into affinity groups around the challenges. Because our workshop was fairly intimate, we ended up tackling the first three challenges, though many at the workshop indicated interest in a substantive discussion of the methodological challenges of studying interactional privacy. We feel strongly that methods for interactional privacy research are a great subject for a future workshop!

For your reference, here is a plain-text version of the grand challenges as well:


  • Tech support for decisions (2)
  • Display of privacy policies (2)
  • Embedding information about privacy in interaction design (2)
  • Making privacy fun (2)
  • Making benefits of data collection visible (2)

Conflicting Interests

  • Business/users tensions (1,2,3)

Challenges of the Domain

  • Online and offline (1,2,3)
  • Norms (1)
  • Mental models of context (1)
  • Definitions – Conceptualization of I.P. (3)
  • Decision models: Bounded rationality/limited information (2,3)
  • Forgetting (1)
  • Active boundary management (1)
  • Privacy over time – design for shifting networks (3)
  • Collaborative privacy practices (2)


  • Methods – Independent variables (1,2,3)
  • Methods – Collection techniques (1,2,3)
  • Methods – Dependent variables (1,3)

Theme 3: Business and User Tensions

Summary by Stephan Baumann, Alex Garnett, Alison Murphy, and Tara Whalen

Business and User Tensions:  The Problem

One of the critical privacy challenges in online interactions is the prevalent tension between users and businesses. The primary reason for this tension is that the benefits users gain from information disclosure are not well harmonized with the benefits businesses gain. For example, users disclose information for the social benefit of strengthening existing relationships (e.g., on Facebook) and building new online relationships (e.g., through online dating sites). Businesses, however, benefit from users' information disclosure by collecting consumer information and producing targeted advertising.

This business benefit is exemplified in behavioral economics, where businesses seek to understand individual user behaviors in order to better understand their economic decisions. Because businesses provide these platforms at large scale, they make huge investments in servers, traffic and world-class design. They are therefore under permanent pressure to achieve a return on those investments. After reaching critical mass, they need to keep their platforms sticky and busy to avoid being buried by competitors. Decisions on social interaction design are therefore also influenced by their competitors’ design practices.

It is in the best interest of the businesses for users to disclose as much information as possible. However, our team questions whether businesses could get more information from users by simply designing for user agency.  We believe that if they considered the following design characteristics, then they could incentivize the sharing of private information:

  • Design a comfortable and aware environment where users understand how their information is being used and where social translucence is present. Social translucence refers to Tom Erickson and Wendy Kellogg’s concept of designing systems that enable users and their activities to be visible to one another.
  • Design a familiar environment where users can expect consistent and predictable information disclosure activities. Familiarity can also refer to the use of data gathered via implicit feedback to “meet the user halfway” on repeat interaction, such as by anticipating the remainder of a URL being typed into a browser address bar.
  • Design a customizable environment where users are fully engaged with the privacy setting and information disclosure activities, even to the point where customizing their settings is easy and fun, promoting personal information ownership.

This privacy challenge regarding business and user tensions involves a number of stakeholders:

  • Users – These individuals are not homogeneous and disclose information based on their own unique privacy practices.
  • Businesses – These groups strive to obtain as much user information as possible in order to make money through targeted advertising, etc. These groups also must be compliant with any applicable laws or regulations regarding data collection.
  • Designers – We consider designers to be a subgroup of the businesses because they are influenced by the businesses that they work for and they typically optimize their designs based on their business’s objectives.
  • Regulators – The overarching stakeholder is any regulatory agency or position who ensures that users have control over their information disclosure. This group protects the users while also monitoring the businesses to ensure that they comply with any applicable laws or regulations.

Business and User Tensions:  The Proposed Solutions

Given the complexity of this privacy challenge, our group brainstormed various options for addressing this tension between users and businesses. However, our primary discussion was ultimately about what not to do.

The problem that arises from the discussion of information disclosure is that there appears to be some injustice in the massive benefits that Social Networking Sites (e.g., Facebook) reap from our data, while users are not repaid in any way. This is primarily because people will use the systems anyway, without obtaining any compensation for disclosing their information.

Although we recognize this injustice as a problem, we believe that the worst solution is to incentivize or compensate users for information disclosure because these offers will inevitably become grossly commodified.

Therefore,  we suggest that users clarify their expectations and understanding of the sites where they disclose information.  For example, Facebook offers the opportunity to disclose very personal information about oneself (birthday, contact information, location-sharing, personal status updates, etc.), yet it has a complicated privacy setting structure that gives the user options to control their information disclosure. So, users can be very public or very private when revealing information about themselves.  Therefore, the expectation of information disclosure on Facebook is much more ambiguous because of the range of privacy setting options.  On the other hand, Twitter has a more open structure and is based on brief message sharing.  Therefore, users typically expect that their information is more public than on Facebook. While it is not quite fair to suggest that the Twitter model is more functional for failing to tend to difficult-to-monitor expectations of privacy, it is perhaps not so strange that different information channels should afford different degrees of information disclosure.

As an important further note, we suggest that the design of these sites should attend to social translucence.  This includes ensuring that every recorded interaction with a system has some meaningful representation and that social interactions are reciprocal, allowing users to learn and better-embody the system’s operation over the course of normal use.


Theme 2: Boundary Regulation & Temporality

Summary by Pamela Wisniewski, Natalya Bazarova, Ben Marder, Antti Oulasvirta & Jayant Venkatanathan

Our Mission: Find solutions to grand challenges of Networked Privacy.  At first, we attempted to tackle “Active Boundary Management over Time within Social Networks;” however, we soon realized that this topic was much too broad. Therefore, we narrowed down our focus to the temporal aspects of boundary management and the permanence of data in Social Network Sites (SNSs). We found that solutions to this problem were still elusive, but we attempted to remain optimistic in our approach.

Problem Scenarios: Photos uploaded during college years become visible to newly friended colleagues from the workplace. The needs of a user of a location sharing service change when she is feeling down or depressed and is not in a mood to be social or interact with others. The information sharing preferences of a couple that breaks up can be different before and after the breakup. These are among the many challenges that confront users when it comes to managing their disclosures in online social networks over time. Hence it is imperative to provide the right tools and mechanisms that support users’ needs in terms of temporal management of the information that they disclose in SNSs.

Deep versus Lasting: While users can certainly benefit from better temporal control over their information disclosure, it is not clear whether consequences of providing tools to help users accomplish this goal are in line with the goals of SNSs such as Facebook. One of the goals of these companies is to have access to information about users such as the books they read, the places they visit and the topics they discuss with their friends. This information, for example, can be used to provide targeted ads to users. A possible motivation for SNSs to implement temporal boundary options that emerged in our discussions is that increased temporal control can enable users to share privacy sensitive information that they might not have otherwise shared due to precisely the kind of temporal disclosure requirements illustrated in the examples above. While this would inevitably mean that these sites facilitate easy removal of information from the sites on a time basis, this can also lead to the companies being able to collect deeper and better personal information, as opposed to information that has more permanence on the website. While the extent of the validity of this argument requires probing and further validation, it is plausible that providing for such control can be a win-win proposition for both users and businesses.

Design Solutions: With this problem and motivation in place, we went on to discuss potential tools and solutions to help users manage their boundary regulation in SNSs over time.

Increasing Temporal Awareness – A first category of solutions to emerge in our discussions was tools that enhance user awareness regarding the content and visibility of the information users had disclosed in the past. These included presenting summary statistics of posts from the past to the user (for example, a tag cloud highlighting key words in her posts from a particular year) and presenting snapshots of posts from the past (for example, a random photo uploaded by the user 2 years ago). The idea for this was in fact sparked off by discussions from the design team, where they had referred to this as “making it creepy!” Other solutions for enhancing user awareness of information shared in the past that cropped up in our discussions revolved around policy and nomenclature. For instance, SNSs could provide clarity about the storage and accessibility of the information that users post, or use terminology such as “Photo Archive” or “News Stream” to cue temporal expectations to users. This would include avoiding confusing and misleading terms to denote features of the SNS (this is commonly referred to as “calling a spade a spade” in HCI circles).

Communicating User Expectations –  A particularly challenging aspect for users is the interaction of the online social network with the offline. Online social networks are often extensions of face to face physical networks and information disclosed online can propagate through offline channels and vice versa. Hence in a scenario where a user shares a certain piece of information in the online network and decides to delete it after a period of time, that information has been viewed by his contacts and can still be further spread via interactions offline. A solution for this problem would be to provide a feature that notifies all contacts that have viewed a post when that post is deleted. This feature, which we referred to as “social undo”, would enable these contacts to understand that the owner of that information does not want to share it any more and that they should hence not spread it any further. By integrating the ability for users to explicitly state their temporal boundaries to others within their network, SNSs could reduce the occurrence of privacy violations due to a lack of coordination. Another interesting idea was the “what happens in Facebook stays in Facebook” feature that would allow a user to flag posts that they don’t want to be discussed outside the online social network, hence implicitly conveying the same to her contacts.

Making It Fun – Next, we set out to incorporate SNS design features that could help users manage the temporal aspect of their disclosure in an enjoyable way. These included ‘time bombs’ (posts that are automatically destroyed after a certain period of time), the ‘time machine’ (the ability to specify a period of time in the past and delete all posts falling within that period), the ‘time delay’ (new posts go into a ‘quarantine’ for a period of time before becoming publicly visible to contacts; this can help users retract data that they might have inadvertently shared or, for example, data that they shared when drunk that they would not have normally shared in a sober state), the ‘time capsule’ (putting a post into a “capsule” that opens after some period of time, e.g. one year) and the ‘time zombie’ (linking back to / “resurrecting” posts from the distant past). Picking up on an idea from the team that discussed the business aspects, we discussed how these tools could be made fun and engaging for users, and the names that we gave to each of these features reflect the fun aspect that we attempted to bring in.
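The temporal features above, together with the “social undo” from the previous paragraph, can be read as one visibility rule per post. The following Python sketch is an added example, not something produced at the workshop; the `Post` model, its field names and the sample data are hypothetical, and it assumes a time bomb's lifetime is counted from the post's creation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Post:                      # hypothetical model, not any real SNS API
    post_id: str
    created: datetime
    delay: timedelta = timedelta(0)      # 'time delay': quarantine before contacts see it
    ttl: Optional[timedelta] = None      # 'time bomb': lifetime counted from creation
    opens_at: Optional[datetime] = None  # 'time capsule': hidden until this instant
    viewers: set = field(default_factory=set)  # contacts who actually saw the post
    deleted: bool = False

def visible_at(post: Post, now: datetime) -> bool:
    """Decide visibility to contacts from the post's temporal rules alone."""
    if post.deleted:
        return False
    start = max(post.created + post.delay, post.opens_at or post.created)
    if now < start:
        return False
    return post.ttl is None or now < post.created + post.ttl

def view(post: Post, contact: str, now: datetime) -> bool:
    """Record a view only when the post is visible, so 'social undo' knows whom to tell."""
    if visible_at(post, now):
        post.viewers.add(contact)
        return True
    return False

def retract(post: Post) -> list:
    """'Social undo': delete the post and return the contacts to notify."""
    post.deleted = True
    return sorted(post.viewers)

def time_machine(posts, start: datetime, end: datetime) -> dict:
    """'Time machine': retract every live post created in [start, end)."""
    return {p.post_id: retract(p) for p in posts
            if not p.deleted and start <= p.created < end}

def demo() -> dict:
    t0 = datetime(2011, 5, 1, 12, 0)     # constructed sample data
    day = timedelta(days=1)
    party = Post("party", t0, delay=timedelta(hours=12))
    rant = Post("rant", t0 + day, ttl=7 * day)
    capsule = Post("capsule", t0 + 2 * day, opens_at=t0 + 365 * day)
    seen = {
        "party_in_quarantine": view(party, "boss", t0 + timedelta(hours=1)),
        "party_after_delay": view(party, "alice", t0 + day),
        "rant_live": view(rant, "bob", t0 + 2 * day),
        "rant_after_bomb": view(rant, "carol", t0 + 9 * day),
        "capsule_sealed": view(capsule, "alice", t0 + 30 * day),
        "capsule_open": visible_at(capsule, t0 + 366 * day),
    }
    # Erase the first two days; the capsule (created on day 2) is outside the window.
    notified = time_machine([party, rant, capsule], t0, t0 + 2 * day)
    return {"seen": seen, "notified": notified,
            "party_gone": visible_at(party, t0 + 3 * day)}

if __name__ == "__main__":
    print(demo())
```

Because views are recorded only while a post is visible, a post retracted during its quarantine produces an empty notification list: nobody saw it, so there is nothing to undo socially.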

Summary: While these solutions may not be feasible given either the complexities of interface design or possibly a conflict of interest between the user and the SNS, our group decided that brainstorming any possible solutions is the best step to tackling the grand challenges of Networked Privacy. The grandest challenge of our research community may be to bridge the gap between SNSs and end user privacy goals instead of continuing to play a zero-sum game.


Theme 1: Designing for Interactional Privacy

Summary by Heather Richter Lipford, Patrick Gage Kelley, Alessandra Mazzia & Alex Smolen

The design group first focused on the various problems in designing for interactional privacy. We discussed two main aspects of privacy management – designs that give privacy awareness and notice, and designs that allow for interaction for control or restriction. One of the challenges is that there is not yet a large variety of artifacts for managing one’s privacy. Thus we brainstormed ideas that went beyond current mechanisms, such as scaring people about their privacy and making privacy fun.

As we continued our discussion we realized that the grand challenge we kept coming back to was how to embed privacy information and management into the interaction with the application itself. This is important because many current designs present privacy as a separate problem, to be managed through separate interfaces. This removes privacy from the context of the social interaction. We then discussed how social cues, such as an overshare button, could perhaps aid in this. Finally, we came back to the point of the workshop – in considering interactional privacy we are concerned with more than just sharing too much information. The goal is to support social interactions, so sharing too much is a problem that may lead to regret, but so is a choice to share too little and have a lack of intimacy and of the benefits of social technologies.

In the afternoon, we began to discuss more ideas for solutions to this grand challenge of embedding privacy interaction into the application interaction. We took some inspiration from results that have shown that privacy concerns are often correlated with prior negative experiences. Thus, we spent some time discussing how to provide such negative experiences to increase privacy behaviors, yet without actually harming the users in the process. We discussed various applications that could creep people out – Firesheep is one current example. The recent iPhone location tracking news stories are another. There are a variety of data aggregator sites and applications as well. It’s not clear whether or not these have had any impact yet on user behaviors.

We then spent much time discussing the challenges of researchers doing design. As privacy is contextual, embedding privacy within application interaction is also highly contextual. So how do we as researchers come up with novel designs and demonstrate their value? How do we get new designs evaluated, when that evaluation must happen within a very specific context? So in the end, we wanted to highlight that the solutions to privacy design are also a challenge – how to encourage both practitioners and researchers to investigate and share a variety of design ideas that improve interactional privacy.


Privacy Task Force

A fortnight ago, at the end of the workshop, we were discussing next steps: journal special issue, community blog, further workshops, what have you.

Then, Stephan Baumann spoke up. He wanted us all to consider creating a Privacy Task Force to design interactional privacy features together. Basically, his question was: “Can we come up with a task force to work on a proposal presentation about these features in a real world social network site?”

Since the idea deserves some further thought, here comes Stephan’s answer in written form, pitching the idea and calling for participation:

Yes we can. If we are brave enough. I suggested at the end of the workshop - being really thrilled by such good at-site brainstorming - to set up a little task force.

An interdisciplinary multinational team of computer scientists, designers, human science experts and theorists to develop a “best-of social translucence features” presentation to be pitched to social network providers in Germany. Why Germany? Since I am a part-time Berlin-er I could foresee to activate some contacts to social network providers foreseeing hard times with the competition against Facebook. For such providers it could be very interesting to think about “better social design for their users” … consulting deluxe for free! But not just academic bullshit but down-to-earth hands-on feature lists and a concrete working plan of how to implement.

I don’t know what will happen, I can only offer to try hard …

What do you think? Share your thoughts in the comments!


Workshop Recap

Two weeks ago, the workshop day was finally there. It was wonderful to meet in person the people we had been e-mailing with over the past months – the crowd in the room was brilliant.

And so we workshopped from morning to evening. It all started with introductions and madness presentations (available on the Papers page) followed by a big brainstorm on the grand challenges of interactional privacy.

To stay focused, we chose to work on three challenge areas:

  1. Design challenges related to interactional privacy
  2. Active boundary management over time within social network services
  3. Tensions between users and businesses

Each breakout group first worked on characterizing the challenges, and once that was done, we thought about what feasible solutions could look like. Slides from all three groups are available at our Slideshare site. Recaps from the groups will be posted to this blog soon.

Alongside the group activities, Zeynep Tufekci’s keynote challenged us to think deeper. She provoked us by asking what it means to interact in a reality that has been designed to make people click ads, and how we could instead design a space for optimal social growth. A recap of Zeynep’s ideas will appear on this blog soon, too.

Finally, we concluded the official part of the day with a discussion of next steps. While the plans are still in the process of taking form, it is clear that there’s more to come. Stay tuned.


Workshop Papers Online

The twelve workshop papers are now available at the Papers site. Go ahead and take a look, especially if you will be attending the workshop!
